Training Course on Data Protection

Notification to the Data Protection Officer (DPO) and Access to the Register

Nico Hilbert, Assistant to the Data Protection Officer
Data Protection Office
March 9th, 2005

Objective of the presentation

- General principles for the Register
- General principles for Notifications
- Principles for Commission specific aspects on Notifications - The Actors
- Why is the Notification system Online?
- Objective of the IS NDPO&R

Principles for the Register (1)

- What is the “Register” of the DPO?
  - The collection of all “Notifications” sent to the DPO by “Controllers”;
- Why is a “Register” needed?
  - To conform to Regulation 45/2001 as defined in article 26 - Register:
    - “A register of processing operations notified in accordance with Article 25 shall be kept by each Data Protection Officer”;
    - “The registers may be inspected by any person”;

Principles for the Register (2)

- What are the contents of the “Register”?
  - Article 26 says: “The register shall contain at least the information referred to in Article 25(2)(a) to (g)”;
    - (a) the name and address of the controller;
    - (b) the purpose of the processing;
    - (c) a description of the categories of data subjects and of the data or categories of data relating to them;
    - (d) the legal basis of the processing;
    - (e) the recipients or categories of recipient disclosed;
    - (f) a general indication of the time limits for blocking and erasure of the different categories of data;
    - (g) proposed transfers of data to third countries or international organisations.

Principles for Notifications (1)

- What is a “Notification” and who is responsible for it?
  - Prior notice of the “Controller” to the DPO of any processing operation (manual & electronic) in which personal data is involved;
- When is a “Notification” needed?
  - If personal data is processed;
- Why is a “Notification” needed?
  - To conform to Regulation 45/2001:

Principles for Notifications (2)

- as defined in article 25 - Notification to the Data Protection Officer;
- as defined in articles 24.1(e) - Data Protection Officer + 27 - Prior checking
- What are the contents of a “Notification”?
  - Same information as requested by article 26 (Article 25(2)(a) to (g)) + paragraph (h) of article 25;
  - Article 25 (h) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing.

Principles for Commission specific aspects on Notifications (1)

Actors (Players) in the context of a “Notification”:
- European Data Protection Supervisor (EDPS): DPO submits to EDPS Notification for Prior checking;
- Data Protection Officer (DPO): receives the Notification in the Register and gives prior-advice on it;
- Controller: is responsible for the Notification;

Principles for Commission specific aspects on Notifications (2)

- Delegated Controller: A Delegated Controller may be designated by the Controller to prepare under his/her responsibility the notification to the DPO and to assure all the related co-ordination with the Data Protection Coordinator and others concerned with data protection inside or outside the respective Directorate General.
- Data protection Co-ordinator (DPC): gives advice and helps the Controller and Delegated Controller;
- Processor(s): process(es) personal data on behalf of the Controller;

Principles for Commission specific aspects on Notifications (3)

- Project leader/Developer/IRM/HU DC: help to fill in the Notification concerning specific aspects related to their involvement in the definition or, respectively, the execution/operation of the processing.

Interaction between Main Players

[Diagram showing the main players: European Data Protection Supervisor (EDPS), Data Protection Officer (DPO), Register, DG Data Protection Coordinator, Controllers, Data Subjects, Anybody]

The Online Information System NDPO&R

- Implements Regulation 45/2001
- Browser based (Internet Explorer)
- Online Notification System and Access to the Register which translate articles 25+26+
- Writes notifications into the DPO’s “Register” - translates article 26
- Has a built-in workflow system (see actors)

Why is the Notification system Online?

- To avoid any interaction of the DPO with the content of the final Notification
- To avoid that the DPO is involved in the process of writing notifications in the Register
- To give an integrated help (legal and question based)
- To have all legal references needed available online
- To interact electronically between actors in preparing notifications
- To keep independent electronic track of prior advice by DPO and EDPS for legal reasons
- To have integrated access of Data Subjects

Objective of the IS NDPO&R

- To implement (parts of) Regulation 45/2001 mainly articles 25 and 26
- The prior Notification of Controllers to the DPO of all processing operations performed upon personal data by the institution
- The creation of the Register of the DPO
- The public access to the Register as requested by article 26

Notification to the Data Protection Officer (DPO)

- Since October 2003 the DPO has also made available on his web site on IntraComm a Simplified Notification System for small ad hoc “processing of personal data”
- This new system is compatible with the standard online Notification System

Any Questions? Thank you for your attention!